Access Policy Language Overview

The topics in this section describe the basic elements of the bucket and user policies used in Amazon S3. For complete policy language information, see the Overview of IAM Policies and the AWS IAM Policy Reference topics in the IAM User Guide.

Note

Bucket policies are limited to 20 KB in size.

Common Elements in an Access Policy

In its most basic sense, a policy contains the following elements:

Resources – Buckets and objects are the Amazon S3 resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource.

Actions – For each resource, Amazon S3 supports a set of operations. You identify the resource operations you will allow (or deny) by using action keywords (see Specifying Permissions in a Policy).

For example, the s3:ListBucket permission allows the user to perform the Amazon S3 GET Bucket (List Objects) operation.

Effect – The effect when the user requests the specific action; this can be either allow or deny.

If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it even if a different policy grants access.

Principal – The account or user who is allowed access to the actions and resources in the statement. You specify a principal only in a bucket policy. It is the user, account, service, or other entity who is the recipient of this permission. In a user policy, the user to which the policy is attached is the implicit principal.

The following example bucket policy shows the preceding common policy elements. The policy grants Dave, a user in account Account-ID, the s3:GetBucketLocation, s3:ListBucket, and s3:GetObject Amazon S3 permissions on the examplebucket bucket.
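A small Python model of how these elements combine, added here as an illustration (it is not AWS's evaluation engine and not the page's own JSON example): it encodes the bucket policy just described and applies the rules stated under Effect, implicit deny by default and an explicit deny overriding any allow. Dave, Account-ID and examplebucket are the page's placeholders; the "secret/" prefix, the object names and the simplified wildcard matching (no Condition, NotAction or NotResource) are assumptions made for the example.

```python
import fnmatch
# Constructed policy following the page's description of its example: Dave, a user
# in account Account-ID (placeholder, as on the page), gets three permissions on
# examplebucket. Bucket-level actions go on the bucket ARN, s3:GetObject on "/*".
DAVE = "arn:aws:iam::Account-ID:user/Dave"
EXAMPLE_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DAVE},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::examplebucket"},
    {"Effect": "Allow", "Principal": {"AWS": DAVE},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::examplebucket/*"},
]}

# Constructed second policy: an explicit Deny on one prefix (assumed name "secret/").
DENY_SECRETS_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::examplebucket/secret/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    # Principal is either "*" or a map such as {"AWS": <ARN or list of ARNs>}.
    p = statement.get("Principal", [])
    if isinstance(p, dict):
        p = p.get("AWS", [])
    return _as_list(p)

def _matches(statement, principal, action, resource):
    # IAM-style "*" and "?" wildcards in each field (case-sensitive here).
    return (any(fnmatch.fnmatchcase(principal, p) for p in _principals(statement))
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))

def evaluate(policies, principal, action, resource):
    """Return "Allow" or "Deny" for one request across all given policies.
    Simplified model of the rules the page states: access is implicitly denied
    unless a statement allows it, and an explicit Deny overrides every Allow."""
    decision = "Deny"  # implicit deny until a matching Allow is found
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, principal, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins even if another policy allows
            decision = "Allow"
    return decision
```

Note that s3:GetObject against the bucket ARN itself is denied, because the object statement only covers examplebucket/*; getting the resource level wrong is a common reason a policy that looks correct still fails.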